Feeds

back to article Apple and world HACKED by Facebook plunderers

Apple, Facebook and "hundreds of other companies" have had their Mac computers hacked in a sophisticated campaign mounted by an unknown adversary. Attackers were able to infect Apple, along with other businesses around the world with Mac malware delivered via a Java zero-day vulnerability, Reuters reported on Tuesday, after …

COMMENTS

This topic is closed for new posts.

Page:

Pirate

"This is the first really big attack on Macs,"

So... it was a Big Mac Attack?

23
0

Re: "This is the first really big attack on Macs,"

No, that happened over at Burger Kings twitter feed.

10
0
Anonymous Coward

Re: "This is the first really big attack on Macs,"

Mac OS-X, over 1800 vulnerabilities and counting. That's 4 times more than windows XP and almost as bad a Linux dsitribution! And Mac users generally don't have antivirus wrapped round their Swiss Cheese of an OS either....

7
6

Re: "This is the first really big attack on Macs,"

Mutter mutter, something about horses, *jazz hands*

2
0
Silver badge

Re: "This is the first really big attack on Macs,"

GNU/Linux is developed in the open, so it will look like they have many bugs as one can see them all. Some bug won't even be a GNU or Linux issue, they'll be integration issues for a particular distro. Also, many of these bugs will be duplicates as various distros have a bug reported to them (a new ticket) which then gets filed with upstream (might be a new ticket, might join an existing one). This is before we get into the severity of said bugs. The projects are co-operative units, not closed and secretive monoliths like Apple and MS.

MS is cagey about what bugs they have and their publicly known list is probably a subset of the true picture.

I would have expected Apple to be the same if not even more anti-open, but as you cite no sources I guess we will just have to take what you say with a very large pinch of salt.

As for anti-virus - all PCs should run anti-virus, if only to protect Windows from itself.

1
0
Anonymous Coward

Re: "This is the first really big attack on Macs,"

The total of 1800 is only referring to security vulnerabilities - not integration issues or other bugs . Like it or not, Linux distributions tend to have the highest vulnerability totals of any OSs. Even the Linux kernel alone has over 900 known vulnerabilities - about twice the total of the whole of Windows XP!

2
5
Silver badge

Re: "This is the first really big attack on Macs,"

I'll type this slowly. Publicly admitted. And I find it funny you ate comparing a dead OS to a living kernel which supports more hardware, more filesystems, more...

1
0

Re: "This is the first really big attack on Macs,"

XP is still on extended support - http://windows.microsoft.com/en-US/windows/products/lifecycle

Indeed it would seem to be pretty widely used still - http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

0
0
Silver badge

Re: "This is the first really big attack on Macs,"

It dies (or is currently expected to) next year. It's no longer sold. That is so close to "dead" as makes no odds.

Just because idiots still usr IE6 does not make it any less dead either.

Comparing XP (developed in secret and near EOL) to the Linux kernel 3.8 (developed in public and still living) is not comparing like with like.

0
0
Windows

Life without Java

Boy, am I glad I ditched Java a few years ago. I haven't missed it either.

3
0
Anonymous Coward

Re: Life without OS-X

Boy, am I glad I ditched OS-X a few years ago. I haven't missed it either.

11
5
Happy

Re: Life without Java

For a moment there I thought I was at risk then I realised I removed Java years ago when I realised I didn't need it any more.

0
0
Silver badge

Re: Life without Java

Java on the server is fine.

Java on the client would be fine if it wasn't managed by Oracle.

0
0
Anonymous Coward

Re: Life without OS-X

Yes, makes me glad i run Windows....

1
2
Bronze badge
Trollface

Re: Life without OS-X

Sorry but OS9 is far better to ditch than OSX

0
0
Bronze badge

No....No, their MUST be some mistake. Macs are immune to such things, remember? Jobs said so.

26
3
Silver badge
Gimp

So did that nice looking young man in the commercial: http://www.youtube.com/watch?v=M3Z386vXrt4

7
0
Anonymous Coward

There's a difference between malware or viruses and a very co-ordinated hack attempt.

2
18
Anonymous Coward

Yes, the difference is what you call it. Basically you got p0wned...

13
2
Coat

reality distortion field

now he is dead his reality distortion field is no longer protecting Apple

1
0
Silver badge
Trollface

@Taylor1

Not just Jobs, millions of fanois said so too!

1
0
Anonymous Coward

Where's my popcorn?

Macs are invulnerable, most secure computers, etc, etc.....

17
4
Silver badge

Re: Where's my popcorn?

Yeah I poke a sharp stick at the fanbois about this on another page, but in general Macs really are more secure than Windows. Which is what makes this such a complete clusterfuck - it was an obvious hole even Windows fanbois saw it coming.

The bigger problem now is, Apple's a big company and it took them too long to find this. Given that the kernel is built on an OSS *nix core, have the hackers also been able to penetrate other *nix distributions/installs which have so far gone undetected? Given that we know neither what changes Apple made to the core nor enough details of the attack for your typical admin to check for the malware on his systems (beyond: are you running Java, which like it or not most business do) it's a bit unsettling. Gut says most of those systems are still secure (greater variety, admins tend to be more security aware, lower desktop distribution), but the brain wants proof and it can't get it.

0
0
Anonymous Coward

Shoring up CISPA

Merkins need a credible "cyber"-threat so that they pass CISPA more easily - that's why the fingers are pointing at CPLA.

0
5
Holmes

A Mac Attack

Article to deflect attention to Google or Samsung in three...two...one...

3
1
Bronze badge
Meh

FaceBook gets hit? F'em.

So press headlines let Apple know big players are getting hit, then Apple says "disable Java" for a cure all fix, then Apple only decides to issue a fix AFTER they too have been affected?

Apparently security and code auditing is a burden for "IT Artists". No matter, it does explain where a large chunk of their cash pile has come from...lax security.

OFF TOPIC: Does Apple have to hire BSD/Linux guru's to fix their system? Or do they have a security team?

0
0
Silver badge
FAIL

Re: FaceBook gets hit? F'em.

Er, no. They disabled older versions of the Java plug-in as there was a known exploit (however the new version of the Java plug-in wasn't yet released to java.com when they updated the blocklist meaning for a while all Java plug-ins were blocked) and they disabled this malware when they had a signature for it.

0
0
Gold badge

Re: FaceBook gets hit? F'em.

ISTR that Apple do not let a vanilla Java distribution go straight to Macs. They take the new version, wave a magic cat over it for a few weeks (or whatever it is they do) and then release their approved version, now with more fruit.

I guess someone's spotted that Macs are the target of choice for Java vulns, as they're likely to have their knickers down for rather longer than other platforms, due to this delay while the wizards of Cupertino scry their runes.

0
0
jai
Silver badge

Here's an article that describes where to look on your mac to see if it's got the malware. Apparently the site that was hacked to distribute the malware was a "mobile developers website"

They're suggesting that the idea was to allow them to inject malicious code into the code being developed for mobiles, rather than trying to hack mobiles directly.

http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/

3
0
Silver badge
Alert

DARPA wants more money

With the sequester looming the goons over at DARPA are making sure that the Nation knows just how important it is to invest in cyber-espionage. Just imagine what the PLA could do with all those LoLCats pictures, or, heaven forfend, actually bring down the LoLCats servers!

1
1
Anonymous Coward

When did getting hacked become chic?

Everyone who visited the site with a vulnerable configuration got hacked... whether it was a Facebook or Apple engineer, or someone's granny who was there accidentally looking for mobility aids....

This appears to be the new thing.... we are gradually becoming crap so we make out that dangerous people are out to get us to make us appear sexy again!

All it shows is that Apple and Facebook developers need as much help as everyone else from the internet to do their jobs...

2
0
Mushroom

Not just Macs is it..

This being a Java exploit, it affects everyone who still has Java enabled under any OS - Windows, Linux, FreeBSD, etc - not just those running Mac OS X.

Let's see who admits being attacked next.

1
4
LDS
Silver badge

Re: Not just Macs is it..

No, if the vulnerability is used to download and run native code - as it looks, the attack was targeted at Macs, not anyone running Java.

3
0
Silver badge

@LDS

No, all old java code, possibly new stuff too although hopefully Oracle fixed it. The attack detailed here is specific to the Mac, and the Macs had a particular affinity for it since Apple hadn't updated the code. But the vulnerability itself was in Java. Once you've got the Java exploit worked out, you can engineer other attacks on other systems. Put those attacks at different locations and you get multiple feeders. Then people going 'it's just a Mac attack' or 'it's just a Windows attack' will ignore their own vulnerabilities allowing your malware to spread further. If I were a State sponsor of cyber attacks, it's certainly the route I'd go. Thankfully for the world I'm just a help desk monkey and slightly dyslexic so math and I don't get along as well as I'd like.

0
0

Practice safe browsing

Apple (or Microsoft) can't really be blamed for security vulnerabilities in third-party software, Adobe Flash and Java being egregious culprits.

That's why I disable Flash and Java in my primary browser (Chrome) and only have them enabled on my secondary browser (Safari) that I use to visit sites that absolutely require either, and then only under duress (normally I will just ditch a site that requires Flash or Java, or won't work with cookies disabled, as that is not acceptable in the 21st century). I also make sure the bug-ridden Adobe Reader never makes it onto my computers.

The best approach would be for browsers to run all plugins in a virtualized sandbox where they cannot do any harm, but the engineering effort to do something like this would be daunting, essentially duplicating the functionality of VMware, and non-portable to boot.

0
3
Silver badge

Re: Practice safe browsing

They don't make it easy though.

Disable Java in chrome

Click the little iching symbol on the toolbar - well the three horizontal lines that means 'heaven' or settings

The select settings

Then click the show advanced settings link

Then click the content settings button (hint this is the one that is a heading not a link)

Then scroll down to plug-ins in the popup window

The click the disable individual plugins link (we are back to links now)

Then find Java and click disable

To quote Douglas Adams .... Have you ever thought of going into advertising ?

1
1

Re: Practice safe browsing

How about just doing this instead..

1) Type chrome://plugins into url bar,

2) Click on "disable" beside the java plugin

1
0
Silver badge

Re: can't really be blamed for security vulnerabilities in third-party software

So long as it remains third party software that is completely under control of the users, yes. Make it part of the OS and not something the user can fix and that changes to a big fat NO.

0
0
Gold badge
Windows

"Microsoft declined to comment."

Presumably because they're all too busy dressing up as Munchkins for a corporate rendition of "Ding Dong the Witch is dead." from "The Wizard of Oz".

4
0
Gold badge
Happy

Re: "Microsoft declined to comment."

Well it would be a tad embarrassing if MS had to admit they'd been hacked too. As that would be tantamount* to admitting they do their developing on Macs...

I wonder if MS will now send a nice present to Oracle. Perhaps a new yacht for Larry, with a pirate flag with an apple impaled on the top of the pole.

0
0

This post has been deleted by its author

Anonymous Coward

I'm a Mac user, and I say:

Lalalalalalalalalalalalalalalalalala.......

0
0
Anonymous Coward

Pack 'em up...

...and ship the perps off to prison for 15 years.

0
0
Anonymous Coward

Wouldn't have happened with Windows 8

Mac, Linux etc - anything based on Unix is just utter horsetripe compared to the years of honing Microsoft have done on developing a secure modern kernel. Windows 8 is the pinnacle of that, and those of us who run it are deeply happy and safe in the knowledge that there are no threats out there that can touch us.

0
1
(Written by Reg staff) Silver badge

Re: Wouldn't have happened with Windows 8

Great to see someone sticking up for Windows 8. Except in this case, it was a Java 0-day. Or are you saying Win8 can block JVM holes?

C.

1
0
Anonymous Coward

Re: Wouldn't have happened with Windows 8

Windows 8 employs a sophisticated AEFU layer (Anti-Ellison-F**K-Up - sorry Larry it's under your watch now) which sniffs out JVM holes and blocks them by injecting incredibly elegant java classes which intercept miscreants and route the badness into the ether via JNI. *Only* the geniuses at Microsoft can write code like that.

0
0
Bronze badge

Re: Wouldn't have happened with Windows 8

He means Windows 8 can't run Java. Or, rather, Internet Explorer 10 in Windows Store mode doesn't run browser plug-ins, except for the Adobe Flash plug-in. Zero-days and all.

Java, Flash, and many other protocols that run in a web browser or handle downloaded files and also have access to the desktop system are potential holes in your computer security colander, I mean cordon. No, I was right with colander. But it's also true of documents for Microsoft Orifice. That's why those tools have to be patched as well. And it's true of WebGPUsr whatever that's called. Giving the Internet access to your graphics hardware is awfully unwise.

If these things need to be done, then they should be done for selected highly trusted web sites only. Or for no web sites. You can run Java and Flash as separate desktop applications with useful results.

0
0

The Reality...

Linux has security flaws

OS-X has security flaws

Windows has security flaws

Unless an operating system kernal is locked/controlled to such an extent that the user cannot run or perform any task not explictly defined by the original development then there will still be flaws, and even then I wouldn't garuantee it would be 100% secure from any future attacks

And that's the point, it's all a balance between security and functionality. Mainframes are more secure because the only tasks allowed have been pre-defined. Personal computers are designed to let users have as much functionality/flexibility as possible.

1
0

Re: The Reality...

Now you need to be careful RainForestGuppy - there's no place for a reasoned, common sense, point on El Reg.

It should be a foaming-at-the-mouth rant against whichever OS/phone/slablet device and/or manufacturer you don't personally support!

2
0
Thumb Up

Re: The Reality...

Hmmm mainframes are probably more secure because you don't use them to browse sites on the internet.

0
0

Page:

This topic is closed for new posts.